Debian Security Advisory

    • Official post

    Package : ibus

    CVE ID : CVE-2019-14822

    Debian Bug : 940267

    Simon McVittie reported a flaw in ibus, the Intelligent Input Bus. Due to a misconfiguration during the setup of its DBus server, any unprivileged user could monitor and send method calls to the ibus bus of another user, provided they could discover the UNIX socket used by that user's graphical session. An attacker can take advantage of this flaw to intercept the victim user's keystrokes or to modify input-related configuration through DBus method calls.

    For the oldstable distribution (stretch), this problem has been fixed in version 1.5.14-3+deb9u2.

    For the stable distribution (buster), this problem has been fixed in version 1.5.19-4+deb10u1.

    We recommend that you upgrade your ibus packages.

    For the detailed security status of ibus please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ibus

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
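    The fixed versions quoted in these advisories only help if you can tell whether an installed package already reaches them, and Debian's version ordering (epoch, upstream version, Debian revision, with "~" sorting before everything) is easy to get wrong by hand. The following is an added example and not Debian's own tooling: it re-implements dpkg's comparison in pure Python so it can run where dpkg is absent. The fixed versions are taken from the advisories on this page; the "installed" column is constructed sample data. On a real host, `dpkg --compare-versions` and `dpkg-query -W -f='${Version}' <package>` are the authoritative equivalents.

```python
"""Compare installed Debian package versions against an advisory's fixed
versions.  Added example, not Debian tooling: a pure-Python copy of dpkg's
version ordering (epoch:upstream-revision)."""

import re


def _order(c: str) -> int:
    # dpkg's weight for non-digit characters: '~' sorts before everything,
    # end-of-string next, letters before any other character.
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_part(a: str, b: str) -> int:
    """Compare one upstream-version or revision string the way dpkg does:
    alternate non-digit runs (per-character weight) and digit runs (as
    integers) until one side wins."""
    while a or b:
        ra = re.match(r"[^0-9]*", a).group()
        rb = re.match(r"[^0-9]*", b).group()
        for i in range(max(len(ra), len(rb))):
            wa = _order(ra[i] if i < len(ra) else "")
            wb = _order(rb[i] if i < len(rb) else "")
            if wa != wb:
                return -1 if wa < wb else 1
        a, b = a[len(ra):], b[len(rb):]
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version: str):
    """(epoch, upstream, revision); epoch defaults to 0, revision to ''."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a <, ==, > b in dpkg ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def is_fixed(installed: str, fixed: str) -> bool:
    return compare_versions(installed, fixed) >= 0


# Fixed versions from the advisories on this page (buster).  The installed
# versions are constructed sample data, not read from a real host.
FIXED = {
    "ibus": "1.5.19-4+deb10u1",
    "php7.3": "7.3.9-1~deb10u1",
    "openssl": "1.1.1d-0+deb10u1",
    "wpa": "2:2.7+git20190128+0c1e29f-6+deb10u1",
    "openssh": "1:7.9p1-10+deb10u1",
}
INSTALLED = {
    "ibus": "1.5.19-4",
    "php7.3": "7.3.9-1~deb10u1",
    "openssl": "1.1.1c-1",
    "wpa": "2:2.7+git20190128+0c1e29f-6",
    "openssh": "1:7.9p1-10+deb10u2",
}


def vulnerable_packages(installed=INSTALLED, fixed=FIXED):
    """Names of packages whose installed version is below the fixed one."""
    return sorted(p for p in fixed
                  if p in installed and not is_fixed(installed[p], fixed[p]))


if __name__ == "__main__":
    for pkg in sorted(FIXED):
        state = "ok" if is_fixed(INSTALLED[pkg], FIXED[pkg]) else "VULNERABLE"
        print(f"{pkg:8} installed {INSTALLED[pkg]:38} fixed {FIXED[pkg]:38} {state}")
```

    Note the two traps the sample data exercises: a "~" suffix (7.3.9-1~deb10u1) sorts below the version without it, which is why backport-style revisions are lower than the plain package, and a security revision such as "-4+deb10u1" sorts above the plain "-4", so a host still on the latter is the vulnerable one.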

    • Official post

    Package : opendmarc

    CVE ID : CVE-2019-16378

    Debian Bug : 940081

    It was discovered that OpenDMARC, a milter implementation of DMARC, is prone to a signature-bypass vulnerability when a message carries multiple From: addresses.
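    The mechanism behind the bypass above is an evaluator that, faced with more than one From: field, quietly evaluates one of them. RFC 5322 permits exactly one From: field, and an attacker who can sign (DKIM) or pass SPF for the domain in one From: can pair it with a second From: claiming the domain the recipient actually sees. The following is an added illustration and not OpenDMARC's code: a minimal alignment check in its lenient and its strict form, run over two constructed messages. DKIM/SPF verification is assumed to have already produced the set of authenticated domains, and alignment is the strict DMARC mode (exact match); the organizational-domain mode is omitted.

```python
"""Why a DMARC evaluator must refuse a message with more than one From: field.
Added illustration, not OpenDMARC's code.  Messages are constructed."""

from email import message_from_string
from email.utils import parseaddr


def header_domain(field_value: str) -> str:
    """Domain of the first mailbox in a From: field value, lower-cased."""
    _, addr = parseaddr(field_value)
    return addr.rpartition("@")[2].lower()


def dmarc_alignment(raw_message: str, authenticated_domains: set, strict: bool = True):
    """Return (verdict, reason).  authenticated_domains holds domains proven by
    a valid DKIM signature (d=) or a passing SPF check, assumed verified."""
    msg = message_from_string(raw_message)
    froms = msg.get_all("From") or []
    if not froms:
        return "reject", "no From: field"
    if len(froms) > 1 and strict:
        return "reject", f"{len(froms)} From: fields; RFC 5322 section 3.6 allows exactly one"
    # Lenient behaviour: evaluate the first From: field and ignore the others.
    domain = header_domain(froms[0])
    if domain in authenticated_domains:
        return "pass", f"From: domain {domain} is aligned"
    return "fail", f"From: domain {domain} not aligned with {sorted(authenticated_domains)}"


# Constructed messages.  DUPLICATE_FROM pairs a first From: the attacker can
# legitimately authenticate with a second From: claiming the victim's domain.
LEGIT = (
    "From: Alice <alice@example.org>\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)
DUPLICATE_FROM = (
    "From: News <news@attacker.example>\n"
    "From: CEO <ceo@victim.example>\n"
    "To: bob@example.net\n"
    "Subject: urgent wire transfer\n"
    "\n"
    "body\n"
)


def demo():
    """Verdicts for both messages under the lenient and the strict evaluator,
    plus the domain on the From: field the lenient evaluator ignored."""
    ignored = message_from_string(DUPLICATE_FROM).get_all("From")[-1]
    return {
        "legit": dmarc_alignment(LEGIT, {"example.org"})[0],
        "dup_lenient": dmarc_alignment(DUPLICATE_FROM, {"attacker.example"}, strict=False)[0],
        "dup_strict": dmarc_alignment(DUPLICATE_FROM, {"attacker.example"}, strict=True)[0],
        "ignored_from_domain": header_domain(ignored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

    The lenient evaluator returns "pass" for the duplicate-From message because attacker.example is authenticated, while the field it never looked at names victim.example; which of the two a mail client renders is up to the client, which is exactly the gap. Treating any count other than one as a failure closes it.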

    For the oldstable distribution (stretch), this problem has been fixed in version 1.3.2-2+deb9u2.

    For the stable distribution (buster), this problem has been fixed in version 1.3.2-6+deb10u1.

    We recommend that you upgrade your opendmarc packages.

    For the detailed security status of opendmarc please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/opendmarc

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.3

    CVE ID : CVE-2019-11036 CVE-2019-11039 CVE-2019-11040 CVE-2019-11041 CVE-2019-11042

    Multiple security issues were found in PHP, a widely-used open source general purpose scripting language: Missing sanitising in the EXIF extension and the iconv_mime_decode_headers() function could result in information disclosure or denial of service.

    For the stable distribution (buster), these problems have been fixed in version 7.3.9-1~deb10u1.

    We recommend that you upgrade your php7.3 packages.

    For the detailed security status of php7.3 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/php7.3

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : bird

    CVE ID : CVE-2019-16159

    Daniel McCarney discovered that the BIRD internet routing daemon incorrectly validated RFC 8203 (BGP administrative shutdown communication) messages in its BGP daemon, resulting in a stack buffer overflow.

    For the stable distribution (buster), this problem has been fixed in version 1.6.6-1+deb10u1. In addition, this update fixes an incomplete revocation of privileges and a crash triggerable via the CLI; these two bugs are also fixed in the oldstable distribution (stretch), which is not affected by CVE-2019-16159.

    We recommend that you upgrade your bird packages.

    For the detailed security status of bird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/bird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.0

    CVE ID : CVE-2019-11034 CVE-2019-11035 CVE-2019-11036 CVE-2019-11038 CVE-2019-11039 CVE-2019-11040 CVE-2019-11041 CVE-2019-11042

    Multiple security issues were found in PHP, a widely-used open source general purpose scripting language: Missing sanitising in the EXIF extension and the iconv_mime_decode_headers() function could result in information disclosure or denial of service.

    For the oldstable distribution (stretch), these problems have been fixed in version 7.0.33-0+deb9u5.

    We recommend that you upgrade your php7.0 packages.

    For the detailed security status of php7.0 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/php7.0

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : expat

    CVE ID : CVE-2019-15903

    Debian Bug : 939394

    It was discovered that Expat, an XML parsing C library, did not properly handle internal entities closing the doctype, potentially resulting in denial of service or information disclosure if a malformed XML file is processed.

    For the oldstable distribution (stretch), this problem has been fixed in version 2.2.0-2+deb9u3.

    For the stable distribution (buster), this problem has been fixed in version 2.2.6-2+deb10u1.

    We recommend that you upgrade your expat packages.

    For the detailed security status of expat please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/expat

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902

    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

    CVE-2019-14821

    Matt Delco reported a race condition in KVM's coalesced MMIO facility, which could lead to out-of-bounds access in the kernel. A local attacker permitted to access /dev/kvm could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.

    CVE-2019-14835

    Peter Pi of Tencent Blade Team discovered a missing bounds check in vhost_net, the network back-end driver for KVM hosts, leading to a buffer overflow when the host begins live migration of a VM. An attacker in control of a VM could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation on the host.

    CVE-2019-15117

    Hui Peng and Mathias Payer reported a missing bounds check in the usb-audio driver's descriptor parsing code, leading to a buffer over-read. An attacker able to add USB devices could possibly use this to cause a denial of service (crash).

    CVE-2019-15118

    Hui Peng and Mathias Payer reported unbounded recursion in the usb-audio driver's descriptor parsing code, leading to a stack overflow. An attacker able to add USB devices could use this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation. On the amd64 architecture, and on the arm64 architecture in buster, this is mitigated by a guard page on the kernel stack, so that it is only possible to cause a crash.

    CVE-2019-15902

    Brad Spengler reported that a backporting error reintroduced a spectre-v1 vulnerability in the ptrace subsystem in the ptrace_get_debugreg() function.

    For the oldstable distribution (stretch), these problems have been fixed in version 4.9.189-3+deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 4.19.67-2+deb10u1.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/linux

    • Official post

    Package : spip

    CVE ID : CVE-2019-16391 CVE-2019-16392 CVE-2019-16393 CVE-2019-16394

    It was discovered that SPIP, a website engine for publishing, would allow unauthenticated users to modify published content and write to the database, perform cross-site request forgeries, and enumerate registered users.

    For the oldstable distribution (stretch), these problems have been fixed in version 3.1.4-4~deb9u3.

    For the stable distribution (buster), these problems have been fixed in version 3.2.4-1+deb10u1.

    We recommend that you upgrade your spip packages.

    For the detailed security status of spip please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/spip

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : lemonldap-ng

    CVE ID : CVE-2019-15941

    It was discovered that the Lemonldap::NG web SSO system did not restrict OIDC authorization codes to the relying party they were issued to.

    For the stable distribution (buster), this problem has been fixed in version 2.0.2+ds-7+deb10u2.

    We recommend that you upgrade your lemonldap-ng packages.

    For the detailed security status of lemonldap-ng please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/lemonldap-ng

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : golang-1.11

    CVE ID : CVE-2019-16276

    It was discovered that the Go programming language accepted and normalized invalid HTTP/1.1 headers with a space before the colon, which could lead to filter bypasses or request smuggling in some setups.
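    The filter bypass above needs two parsers that disagree about the same bytes: one that compares the raw field-name up to the colon, and one that trims it first and so turns "X-Internal-Auth :" into X-Internal-Auth. The following is an added example and not Go's code: a minimal RFC 7230 header parser with a strict mode (field-name must be a token, and section 3.2.4 forbids whitespace before the colon) and a lenient mode that normalizes, in front of a constructed edge proxy that strips a client-supplied trust header before forwarding. The header name X-Internal-Auth and both requests are constructed for the example.

```python
"""A field-name with whitespace before the colon, seen by a front-end filter
and by a strict or lenient back-end parser.  Added example, not Go's code."""

import re

# RFC 7230 section 3.2.6 tchar; a field-name is one or more of these, so a
# trailing space before ':' is not part of any valid field-name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadRequest(ValueError):
    pass


def parse_headers(block: bytes, strict: bool) -> dict:
    """Parse CRLF-separated header lines into {lower-name: [values]}.
    strict=True rejects non-token names ('Content-Length ' is an error);
    strict=False trims the name first, silently normalizing it."""
    headers = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadRequest("header line without colon")
        name_s = name.decode("latin-1")
        if strict:
            if not _TOKEN.match(name_s):
                raise BadRequest(f"invalid field-name {name_s!r}")
        else:
            name_s = name_s.strip()
        headers.setdefault(name_s.lower(), []).append(value.strip().decode("latin-1"))
    return headers


def front_end_filter(block: bytes, trust_header: bytes = b"X-Internal-Auth") -> bytes:
    """Constructed edge proxy: drops any client-supplied copy of the trust
    header, then appends its own verdict.  It matches the raw bytes before
    the colon, so 'X-Internal-Auth :' is not recognised and passes through."""
    kept = []
    for line in block.split(b"\r\n"):
        if not line:
            continue
        if line.partition(b":")[0].lower() == trust_header.lower():
            continue
        kept.append(line)
    kept.append(trust_header + b": no")
    return b"\r\n".join(kept) + b"\r\n"


def backend_is_admin(block: bytes, strict: bool) -> bool:
    """The back end's conclusion after the front end forwarded the request;
    like many servers it honours the first value of a repeated header."""
    headers = parse_headers(front_end_filter(block), strict=strict)
    return headers.get("x-internal-auth", [""])[0] == "yes"


# Constructed requests (header block only).
HONEST = b"Host: app.example\r\nX-Internal-Auth: yes\r\n"
SMUGGLED = b"Host: app.example\r\nX-Internal-Auth : yes\r\n"


def demo():
    """Outcome per request and back-end mode: 'admin', 'user' or '400'."""
    out = {}
    for label, req in (("honest", HONEST), ("space_before_colon", SMUGGLED)):
        for mode in ("lenient", "strict"):
            try:
                admin = backend_is_admin(req, strict=(mode == "strict"))
                out[f"{label}/{mode}"] = "admin" if admin else "user"
            except BadRequest:
                out[f"{label}/{mode}"] = "400"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {value}")
```

    The honest request is stripped by the filter in both modes. The variant with the space reaches the lenient back end intact, is normalized there, and is honoured as X-Internal-Auth: yes; the strict back end answers 400, which is what RFC 7230 requires for a server that receives such a line. The same disagreement on "Content-Length :" is what turns this from a filter bypass into request smuggling.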

    For the stable distribution (buster), this problem has been fixed in version 1.11.6-1+deb10u2.

    We recommend that you upgrade your golang-1.11 packages.

    For the detailed security status of golang-1.11 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/golang-1.11

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : e2fsprogs

    CVE ID : CVE-2019-5094

    Debian Bug : 941139

    Lilith of Cisco Talos discovered a buffer overflow flaw in the quota code used by e2fsck from the ext2/ext3/ext4 file system utilities.

    Running e2fsck on a malformed file system can result in the execution of arbitrary code.

    For the oldstable distribution (stretch), this problem has been fixed in version 1.43.4-2+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 1.44.5-1+deb10u2.

    We recommend that you upgrade your e2fsprogs packages.

    For the detailed security status of e2fsprogs please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/e2fsprogs

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : exim4

    CVE ID : CVE-2019-16928

    A buffer overflow flaw was discovered in Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code.

    For the stable distribution (buster), this problem has been fixed in version 4.92-8+deb10u3.

    We recommend that you upgrade your exim4 packages.

    For the detailed security status of exim4 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/exim4

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : file-roller

    CVE ID : CVE-2019-16680

    It was discovered that file-roller, an archive manager for GNOME, does not properly handle the extraction of archives containing a single ./../ in a file path. An attacker able to provide a specially crafted archive for processing can take advantage of this flaw to overwrite files when a user drags a specific file or folder to a location to extract it to.
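    A member name such as ./../evil lands outside the extraction directory exactly as ../evil does, but slips past a check that only looks for a leading ../. The following is an added example and not file-roller's code: a lexical destination check that resolves each member against the destination and refuses anything that escapes it, run as a dry run over a tar stream constructed in memory (nothing is written to disk). The destination path and the member names are constructed for the example.

```python
"""Destination check for archive extraction.  Added example, not file-roller's
code.  The archive is built in memory; the run is a dry run."""

import io
import posixpath
import tarfile


def naive_is_unsafe(member: str) -> bool:
    """A check of the kind that misses the variant: leading '../' only."""
    return member.startswith("../")


def resolve_member(dest: str, member: str) -> str:
    """Absolute POSIX path the member would be written to under dest, or
    ValueError if it would land outside.  This is a lexical check; the caller
    must also refuse symlink members pointing outside dest, because a later
    member could traverse through them."""
    if member.startswith("/") or "\\" in member or "\x00" in member:
        raise ValueError(f"absolute or malformed member name: {member!r}")
    dest = posixpath.normpath(dest)
    prefix = dest if dest.endswith("/") else dest + "/"
    target = posixpath.normpath(posixpath.join(dest, member))
    if target != dest and not target.startswith(prefix):
        raise ValueError(f"member escapes destination: {member!r} -> {target}")
    return target


def plan_extraction(tar_bytes: bytes, dest: str):
    """Dry run over a tar stream: (accepted {member: target}, rejected [member])."""
    accepted, rejected = {}, []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for info in tf.getmembers():
            if info.issym() or info.islnk():
                rejected.append(info.name)   # links need their own check; refuse here
                continue
            try:
                accepted[info.name] = resolve_member(dest, info.name)
            except ValueError:
                rejected.append(info.name)
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed archive: a benign file, a './../' escape, a deeper escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name in ("docs/readme.txt", "./../.bashrc", "a/b/../../../etc/cron.d/job"):
            data = b"x"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    accepted, rejected = plan_extraction(build_sample_archive(), "/home/user/out")
    for name, target in accepted.items():
        print(f"extract  {name:32} -> {target}")
    for name in rejected:
        print(f"REFUSE   {name:32} naive check flags it: {naive_is_unsafe(name)}")
```

    The naive check flags neither ./../.bashrc nor the deeper a/b/../../../ variant, while resolving against the destination rejects both. For real extraction, resolve the destination with realpath first and re-check each target after creating parent directories, since symlinks created by earlier members change where a lexical path ends up; Python 3.12's tarfile (and the security backports of it) performs this class of check when extractall() is called with filter="data".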

    For the oldstable distribution (stretch), this problem has been fixed in version 3.22.3-1+deb9u1.

    We recommend that you upgrade your file-roller packages.

    For the detailed security status of file-roller please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/file-roller

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpa

    CVE ID : CVE-2019-13377 CVE-2019-16275

    Debian Bug : 934180 940080

    Two vulnerabilities were found in the WPA protocol implementation in wpa_supplicant (station) and hostapd (access point).

    CVE-2019-13377

    A timing-based side-channel attack against WPA3's Dragonfly handshake when using Brainpool curves could be used by an attacker to retrieve the password.

    CVE-2019-16275

    Insufficient source address validation for some received Management frames in hostapd could lead to a denial of service for stations associated to an access point. An attacker in radio range of the access point could inject a specially constructed unauthenticated IEEE 802.11 frame to the access point to cause associated stations to be disconnected and require a reconnection to the network.

    For the oldstable distribution (stretch), these problems have been fixed in version $stretch_VERSION.

    For the stable distribution (buster), these problems have been fixed in version 2:2.7+git20190128+0c1e29f-6+deb10u1.

    We recommend that you upgrade your wpa packages.

    For the detailed security status of wpa please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/wpa

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openssl

    CVE ID : CVE-2019-1547 CVE-2019-1549 CVE-2019-1563

    Three security issues were discovered in OpenSSL: a timing attack against ECDSA (CVE-2019-1547), a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() (CVE-2019-1563), and a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes after a fork() system call that was not enabled by default (CVE-2019-1549).
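    What such fork protection guards against: a forked child inherits a byte-for-byte copy of the parent's generator state, so unless something notices the fork and reseeds, parent and child produce the same "random" output, which is fatal for nonces, session keys and the like. The following is an added toy and not OpenSSL's DRBG: a hash-chain generator with an optional pid check that reseeds from the OS before the child's first output. The seed and the pid-based detection are choices made for the example; it requires a POSIX os.fork().

```python
"""Toy generator showing the effect of fork protection.  Added example, not
OpenSSL's DRBG; the hash chain and pid check are illustrative choices."""

import hashlib
import os


class ToyDRBG:
    def __init__(self, seed: bytes, fork_protection: bool):
        self._state = hashlib.sha256(b"seed" + seed).digest()
        self._fork_protection = fork_protection
        self._pid = os.getpid()

    def _reseed_if_forked(self):
        # A child sees a different pid than the one recorded at construction;
        # mix fresh OS entropy into the inherited state before producing output.
        if self._fork_protection and os.getpid() != self._pid:
            self._state = hashlib.sha256(b"reseed" + self._state + os.urandom(32)).digest()
            self._pid = os.getpid()

    def random_bytes(self, n: int) -> bytes:
        self._reseed_if_forked()
        out = b""
        while len(out) < n:
            out += hashlib.sha256(b"out" + self._state).digest()
            self._state = hashlib.sha256(b"next" + self._state).digest()
        return out[:n]


def fork_and_draw(drbg: ToyDRBG, n: int = 16):
    """Fork; child and parent each draw n bytes from their copy of drbg.
    Returns (parent_bytes, child_bytes); the child's bytes come back over a pipe."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                       # child process
        os.close(r)
        os.write(w, drbg.random_bytes(n))
        os._exit(0)
    os.close(w)
    child = b""
    while len(child) < n:
        chunk = os.read(r, n - len(child))
        if not chunk:
            break
        child += chunk
    os.close(r)
    os.waitpid(pid, 0)
    return drbg.random_bytes(n), child


def outputs_collide(fork_protection: bool) -> bool:
    """True if parent and child produced identical bytes after the fork."""
    parent, child = fork_and_draw(ToyDRBG(b"fixed seed for the demo", fork_protection))
    return parent == child


if __name__ == "__main__":
    print("without fork protection, outputs collide:", outputs_collide(False))
    print("with fork protection, outputs collide:   ", outputs_collide(True))
```

    The unprotected run prints True: both processes continue the same chain from the same state. With protection the child reseeds and the outputs differ. A pid comparison is the simplest detection and has its own gaps (pid reuse across a double fork, state copied by means other than fork), which is why such protection needs to be on by default rather than an opt-in.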

    For the oldstable distribution (stretch), these problems have been fixed in version 1.1.0l-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 1.1.1d-0+deb10u1.

    We recommend that you upgrade your openssl packages.

    For the detailed security status of openssl please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openssl

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openssl1.0

    CVE ID : CVE-2019-1547 CVE-2019-1563

    Two security issues were discovered in OpenSSL: a timing attack against ECDSA (CVE-2019-1547) and a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() (CVE-2019-1563).

    For the oldstable distribution (stretch), these problems have been fixed in version 1.0.2t-1~deb9u1.

    We recommend that you upgrade your openssl1.0 packages.

    For the detailed security status of openssl1.0 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openssl1.0

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : subversion

    Debian Bug : 936034

    The security fixes for the HTTP/2 code in Apache 2 shipped in DSA 4509 exposed a bug in Subversion that caused a regression in mod_dav_svn when used with HTTP/2.

    For the oldstable distribution (stretch), this problem has been fixed in version 1.9.5-1+deb9u5.

    We recommend that you upgrade your subversion packages.

    For the detailed security status of subversion please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/subversion

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libapreq2

    CVE ID : CVE-2019-12412

    Debian Bug : 939937

    Max Kellermann reported a NULL pointer dereference flaw in libapreq2, a generic Apache request library, allowing a remote attacker to cause a denial of service against an application using the library (application crash) if an invalid nested "multipart" body is processed.

    For the oldstable distribution (stretch), this problem has been fixed in version 2.13-7~deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 2.13-7~deb10u1.

    We recommend that you upgrade your libapreq2 packages.

    For the detailed security status of libapreq2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libapreq2

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : jackson-databind

    CVE ID : CVE-2019-12384 CVE-2019-14439 CVE-2019-14540 CVE-2019-16335 CVE-2019-16942 CVE-2019-16943

    Debian Bug : 941530 940498 933393 930750

    It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server.

    For the oldstable distribution (stretch), these problems have been fixed in version 2.8.6-1+deb9u6.

    For the stable distribution (buster), these problems have been fixed in version 2.9.8-3+deb10u1.

    We recommend that you upgrade your jackson-databind packages.

    For the detailed security status of jackson-databind please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/jackson-databind

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openssh

    Debian Bug : 941663

    A change introduced in openssl 1.1.1d (released as DSA 4539-1) requires sandboxing features that are not available in Linux kernels before 3.19, resulting in OpenSSH rejecting connection attempts when running on an older kernel. This does not affect the Linux kernels shipped in Debian oldstable/stable, but may affect buster systems running on an older kernel.

    For the stable distribution (buster), this problem has been fixed in version 1:7.9p1-10+deb10u1.

    We recommend that you upgrade your openssh packages.

    For the detailed security status of openssh please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openssh

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/